Multiple breaches add up to multimillion dollar settlement for clinic network
Fresenius Medical Care North America (FMCNA), a multistate clinic and provider network specializing in chronic kidney failure treatment, agreed to a $3.5 million HIPAA violation settlement, the Office for Civil Rights (OCR) announced February 1.
The settlement is tied to five separate breaches that FMCNA reported to OCR in 2013. Each breach occurred at a different FMCNA-owned entity:
- Fresenius Medical Care Ak-Chin in Maricopa, Arizona (June 2012)
- Fresenius Medical Care Blue Island Dialysis in Blue Island, Illinois (June 2012)
- Fresenius Medical Care Duval Facility in Jacksonville, Florida (February 2012)
- Fresenius Medical Care Magnolia Grove in Semmes, Alabama (April 2012)
- Fresenius Vascular Care Augusta, in Augusta, Georgia (June 2012)
No single breach affected 500 or more individuals. The Magnolia Grove breach affected the highest number of individuals, 245, while the Augusta breach affected only 10 individuals. Cumulatively, the breaches affected 521 individuals. Typically, OCR’s enforcement actions focus on large breaches, those affecting 500 or more individuals. Smaller breaches, those affecting fewer than 500 individuals, are investigated as resources permit. Small breaches are also subject to different reporting requirements: large breaches must be reported to OCR within 60 days of the discovery of the breach, while small breaches can be submitted to OCR on a single annual report. Although OCR is not required to treat small breaches as cumulative, the agency has stated that it intends to investigate more small breaches, particularly if an entity reports multiple small breaches.
Each individual breach was the result of a different unaddressed risk, such as failure to implement policies and procedures to address security incidents or failure to implement encryption. OCR’s investigators determined that ultimately FMCNA did not conduct an accurate and thorough enterprisewide risk analysis and did not implement an enterprisewide risk management plan. Roger Severino, director of OCR, stressed the critical role an enterprisewide risk analysis and management plan plays in HIPAA compliance.